Open-Xchange Security Advisory 2021-07-19

[Martin Heiland via Fulldisclosure <fulldisclosure () seclists org>]

Dear subscribers,

we're sharing our latest advisory with you and like to thank everyone who contributed in finding and solving those 
vulnerabilities. Feel free to join our bug bounty programs for OX AppSuite, Dovecot and PowerDNS at HackerOne.

Yours sincerely,
  Martin Heiland, Open-Xchange GmbH



Product: OX Documents
Vendor: OX Software GmbH


Internal reference: DOCS-3199
Vulnerability type: Improper Authorization (CWE-285)
Vulnerable version: 7.10.5 and earlier
Vulnerable component: imageconverter
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.3-rev14, 7.10.4-rev8, 7.10.5-rev5
Vendor notification: 2021-01-26
Solution date: 2021-02-16
Public disclosure: 2021-07-19
CVE reference: CVE-2021-28093
CVSS: 5.9 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N)

Vulnerability Details:
Converted images are cached for faster processing when requesting the same resource again. This cache used a weak 
mechanisms (Adler32) to create cache keys, vulnerable accidental or purposeful hash colissions.

Risk:
Image content could be swapped by hash key colissions, resulting in a loss of confidentiality or integrity.

Steps to reproduce:
1. Create two image files that would generate the same hash key
2. Upload both files
3. View Image A
4. View Image B - The content of Image A will be served from the cache

Solution:
We now use a hashing algorithm (SHA-256) that is not prone to hash collissions.



---



Internal reference: DOCS-3200
Vulnerability type: Improper Authorization (CWE-285)
Vulnerable version: 7.10.5 and earlier
Vulnerable component: documentconverter
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.3-rev34, 7.10.4-rev20, 7.10.5-rev7
Vendor notification: 2021-01-26
Solution date: 2021-02-15
Public disclosure: 2021-07-19
CVE reference: CVE-2021-28094
CVSS: 5.9 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N)

Vulnerability Details:
Converted documents are cached for faster processing when requesting the same resource again. This cache used a weak 
mechanisms (CRC32) to create cache keys, vulnerable accidental or purposeful hash colissions.

Risk:
Document content could be swapped by hash key colissions, resulting in a loss of confidentiality or integrity.

Steps to reproduce:
1. Create two document files that would generate the same hash key
2. Upload both files
3. View document A
4. View document B - The content of document A will be served from the cache

Solution:
We now use a hashing algorithm (SHA-256) that is not prone to hash collissions.



---



Internal reference: DOCS-3201
Vulnerability type: Improper Authorization (CWE-285)
Vulnerable version: 7.10.5 and earlier
Vulnerable component: office
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.3-rev10, 7.10.4-rev8, 7.10.5-rev5
Vendor notification: 2021-01-26
Solution date: 2021-02-15
Public disclosure: 2021-07-19
CVE reference: CVE-2021-28095
CVSS: 5.9 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N)

Vulnerability Details:
Documents are cached for faster processing when requesting the same resource again. This cache used a weak mechanisms 
(CRC32) to create cache keys, vulnerable accidental or purposeful hash colissions.

Risk:
Document content could be swapped by hash key colissions, resulting in a loss of confidentiality or integrity.

Steps to reproduce:
1. Create two documents that contain XML structures which create a hash collision
2. Upload both files
3. Edit document A
4. Edit document B - The content of document A will be served from the cache

Solution:
We now use a hashing algorithm (SHA-256) that is not prone to hash collissions.

Attachment: signature.asc
Description:

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/